X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/libsecurity_codesigning/lib/drmaker.cpp diff --git a/libsecurity_codesigning/lib/drmaker.cpp b/libsecurity_codesigning/lib/drmaker.cpp deleted file mode 100644 index 1d72f8d8..00000000 --- a/libsecurity_codesigning/lib/drmaker.cpp +++ /dev/null @@ -1,197 +0,0 @@ -/* - * Copyright (c) 2012 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -// -// drmaker - create automatic Designated Requirements -// -#include "drmaker.h" -#include "csutilities.h" -#include -#include -//#include - -namespace Security { -namespace CodeSigning { - - -static const uint8_t adcSdkMarker[] = { APPLE_EXTENSION_OID, 2, 1 }; // iOS intermediate marker -const CSSM_DATA adcSdkMarkerOID = { sizeof(adcSdkMarker), (uint8_t *)adcSdkMarker }; - -static const uint8_t caspianSdkMarker[] = { APPLE_EXTENSION_OID, 2, 6 }; // Caspian intermediate marker -const CSSM_DATA devIdSdkMarkerOID = { sizeof(caspianSdkMarker), (uint8_t *)caspianSdkMarker }; -static const uint8_t caspianLeafMarker[] = { APPLE_EXTENSION_OID, 1, 13 }; // Caspian leaf certificate marker -const CSSM_DATA devIdLeafMarkerOID = { sizeof(caspianLeafMarker), (uint8_t *)caspianLeafMarker }; - - - -DRMaker::DRMaker(const Requirement::Context &context) - : ctx(context) -{ -} - -DRMaker::~DRMaker() -{ -} - - -// -// Generate the default (implicit) Designated Requirement for this StaticCode. -// This is a heuristic of sorts, and may change over time (for the better, we hope). -// -Requirement *DRMaker::make() -{ - // we can't make an explicit DR for a (proposed) ad-hoc signing because that requires the CodeDirectory (which we ain't got yet) - if (ctx.certCount() == 0) - return NULL; - - // always require the identifier - this->put(opAnd); - this->ident(ctx.identifier); - - SHA1::Digest anchorHash; - hashOfCertificate(ctx.cert(Requirement::anchorCert), anchorHash); - if (isAppleCA(anchorHash) -#if defined(TEST_APPLE_ANCHOR) - || !memcmp(anchorHash, Requirement::testAppleAnchorHash(), SHA1::digestLength) -#endif - ) - appleAnchor(); - else - nonAppleAnchor(); - - return Maker::make(); -} - - -void DRMaker::nonAppleAnchor() -{ - // get the Organization DN element for the leaf - CFRef leafOrganization; - MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert), - &CSSMOID_OrganizationName, &leafOrganization.aref())); - - // now step up the cert chain looking for the first cert with a different one - int slot = Requirement::leafCert; // start at leaf - if (leafOrganization) { - while (SecCertificateRef ca = ctx.cert(slot+1)) { // NULL if you over-run the anchor slot - CFRef caOrganization; - MacOSError::check(SecCertificateCopySubjectComponent(ca, &CSSMOID_OrganizationName, &caOrganization.aref())); - if (!caOrganization || CFStringCompare(leafOrganization, caOrganization, 0) != kCFCompareEqualTo) - break; - slot++; - } - if (slot == ctx.certCount() - 1) // went all the way to the anchor... - slot = Requirement::anchorCert; // ... so say that - } - - // nail the last cert with the leaf's Organization value - SHA1::Digest authorityHash; - hashOfCertificate(ctx.cert(slot), authorityHash); - this->anchor(slot, authorityHash); -} - - -void DRMaker::appleAnchor() -{ - if (isIOSSignature()) { - // get the Common Name DN element for the leaf - CFRef leafCN; - MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert), - &CSSMOID_CommonName, &leafCN.aref())); - - // apple anchor generic and ... - this->put(opAnd); - this->anchorGeneric(); // apple generic anchor and... - // ... leaf[subject.CN] = and ... - this->put(opAnd); - this->put(opCertField); // certificate - this->put(0); // leaf - this->put("subject.CN"); // [subject.CN] - this->put(matchEqual); // = - this->putData(leafCN); // - // ... cert 1[field.] exists - this->put(opCertGeneric); // certificate - this->put(1); // 1 - this->putData(adcSdkMarkerOID.Data, adcSdkMarkerOID.Length); // [field.] - this->put(matchExists); // exists - return; - } - - if (isDeveloperIDSignature()) { - // get the Organizational Unit DN element for the leaf (it contains the TEAMID) - CFRef teamID; - MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert), - &CSSMOID_OrganizationalUnitName, &teamID.aref())); - - // apple anchor generic and ... - this->put(opAnd); - this->anchorGeneric(); // apple generic anchor and... - - // ... certificate 1[intermediate marker oid] exists and ... - this->put(opAnd); - this->put(opCertGeneric); // certificate - this->put(1); // 1 - this->putData(caspianSdkMarker, sizeof(caspianSdkMarker)); - this->put(matchExists); // exists - - // ... certificate leaf[Caspian cert oid] exists and ... - this->put(opAnd); - this->put(opCertGeneric); // certificate - this->put(0); // leaf - this->putData(caspianLeafMarker, sizeof(caspianLeafMarker)); - this->put(matchExists); // exists - - // ... leaf[subject.OU] = - this->put(opCertField); // certificate - this->put(0); // leaf - this->put("subject.OU"); // [subject.OU] - this->put(matchEqual); // = - this->putData(teamID); // TEAMID - return; - } - - // otherwise, claim this program for Apple Proper - this->anchor(); -} - -bool DRMaker::isIOSSignature() -{ - if (ctx.certCount() == 3) // leaf, one intermediate, anchor - if (SecCertificateRef intermediate = ctx.cert(1)) // get intermediate - if (certificateHasField(intermediate, CssmOid::overlay(adcSdkMarkerOID))) - return true; - return false; -} - -bool DRMaker::isDeveloperIDSignature() -{ - if (ctx.certCount() == 3) // leaf, one intermediate, anchor - if (SecCertificateRef intermediate = ctx.cert(1)) // get intermediate - if (certificateHasField(intermediate, CssmOid::overlay(devIdSdkMarkerOID))) - return true; - return false; -} - - -} // end namespace CodeSigning -} // end namespace Security